Add conserve mode for VPC offerings #12487

nvazquez · 2026-01-21T15:28:02Z

Description

This PR extends the conserve mode for VPCs tiers added on the previous PRs: #8309, #10744 by allowing:

If the VPC tier offering uses conserve mode, then the public IP used for Source NAT can be reused for multiple services (it was previously restricted to Source NAT only)

This PR also introduces the following changes:

Introduce conserve mode for VPC offerings
When a VPC is created from a VPC offering using conserve mode: public IP rules can be created on different VPC tiers (when conserve mode = false, the rules are restricted to a single VPC tier).

Fixes: #8317

Types of changes

Breaking change (fix or feature that would cause existing functionality to change)
New feature (non-breaking change which adds functionality)
Bug fix (non-breaking change which fixes an issue)
Enhancement (improves an existing feature and functionality)
Cleanup (Code refactoring and cleanup, that may add test cases)
Build/CI
Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Major
Minor

Bug Severity

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

nvazquez · 2026-01-21T15:28:46Z

@blueorangutan package

blueorangutan · 2026-01-21T15:30:36Z

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

codecov · 2026-01-21T15:36:23Z

Codecov Report

❌ Patch coverage is 6.89655% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.85%. Comparing base (1b0a036) to head (45eba18).
⚠️ Report is 132 commits behind head on main.

Files with missing lines	Patch %	Lines
...om/cloud/network/firewall/FirewallManagerImpl.java	14.28%	7 Missing and 5 partials ⚠️
...n/java/com/cloud/network/IpAddressManagerImpl.java	0.00%	8 Missing and 2 partials ⚠️
...e/cloudstack/api/response/VpcOfferingResponse.java	0.00%	6 Missing ⚠️
...main/java/com/cloud/network/vpc/VpcOfferingVO.java	0.00%	6 Missing ⚠️
...ck/api/command/admin/vpc/CreateVPCOfferingCmd.java	0.00%	3 Missing ⚠️
...rg/apache/cloudstack/api/response/VpcResponse.java	0.00%	3 Missing ⚠️
...java/com/cloud/api/query/vo/VpcOfferingJoinVO.java	0.00%	3 Missing ⚠️
...loud/network/lb/LoadBalancingRulesManagerImpl.java	0.00%	3 Missing ⚠️
...ain/java/com/cloud/network/vpc/VpcManagerImpl.java	40.00%	2 Missing and 1 partial ⚠️
...and/user/firewall/CreatePortForwardingRuleCmd.java	0.00%	1 Missing ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##               main   #12487    +/-   ##
==========================================
  Coverage     17.84%   17.85%            
- Complexity    15980    15997    +17     
==========================================
  Files          5929     5930     +1     
  Lines        531084   531511   +427     
  Branches      64914    64989    +75     
==========================================
+ Hits          94783    94882    +99     
- Misses       425686   425999   +313     
- Partials      10615    10630    +15

Flag	Coverage Δ
uitests	`3.58% <ø> (-0.01%)`	⬇️
unittests	`18.94% <6.89%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

blueorangutan · 2026-01-21T16:05:08Z

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16471

nvazquez · 2026-01-21T18:58:21Z

@blueorangutan package

blueorangutan · 2026-01-21T19:00:35Z

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2026-01-21T19:40:01Z

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 16473

nvazquez · 2026-01-21T20:31:01Z

@blueorangutan package

blueorangutan · 2026-01-21T20:32:36Z

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2026-01-21T21:10:55Z

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 16475

nvazquez · 2026-01-21T21:12:43Z

@blueorangutan test keepEnv

blueorangutan · 2026-01-21T21:14:34Z

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan · 2026-01-22T13:29:06Z

[SF] Trillian test result (tid-15239)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 55566 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15239-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_03_deploy_and_scale_kubernetes_cluster	`Failure`	26.70	test_kubernetes_clusters.py
test_02_list_cpvm_vm	`Failure`	0.03	test_ssvm.py
test_04_cpvm_internals	`Failure`	0.04	test_ssvm.py
test_01_redundant_vpc_site2site_vpn	`Failure`	392.36	test_vpc_vpn.py

nvazquez · 2026-01-27T05:13:52Z

@blueorangutan package

blueorangutan · 2026-01-27T05:16:05Z

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2026-01-27T06:00:04Z

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2026-01-27T06:51:19Z

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 16549

weizhouapache · 2026-01-27T08:03:57Z

@blueorangutan package

blueorangutan · 2026-01-27T08:06:05Z

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

weizhouapache

@nvazquez

can we create VPC offering with conserve mode via API and UI ?
can you add smoke tests ?
- source nat can be used by vpc tiers
- other public Ips too

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

blueorangutan · 2026-01-27T08:52:37Z

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16553

DaanHoogland · 2026-01-29T15:43:47Z

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

+            // (except for VPCs with conserve mode = true)
+            if ((!isNewRuleOnVpcNetwork || !isVpcConserveModeEnabled)
+                    && rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
+                String errMsg = String.format("New rule is for a different network than what's specified in rule %s", rule.getXid());
+                if (isNewRuleOnVpcNetwork) {
+                    errMsg += String.format(" - VPC id=%s is not using conserve mode", newRuleNetwork.getVpcId());
+                }
+                throw new NetworkRuleConflictException(errMsg);
            }


DaanHoogland · 2026-01-29T15:44:32Z

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

+        NetworkVO newRuleNetwork = _networkDao.findById(newRule.getNetworkId());
+        if (newRuleNetwork == null) {
+            throw new InvalidParameterValueException("Unable to create firewall rule as cannot find network by id=" + newRule.getNetworkId());
+        }
+        boolean isNewRuleOnVpcNetwork = newRuleNetwork.getVpcId() != null;
+        boolean isVpcConserveModeEnabled = false;
+        if (isNewRuleOnVpcNetwork) {
+            VpcOfferingVO vpcOffering = vpcOfferingDao.findById(newRuleNetwork.getVpcId());
+            isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();
+        }


new method(s)?

RosiKyu

PR needs some fixes:

Issues Identified:

The conservemode parameter is not being passed from API command to the service layer (value not saved to DB)
The conservemode field is not being returned in the API response (VpcOfferingResponse)

TC1: Create VPC Offering with Conserve Mode = true

Objective: Verify VPC offering can be created with conserve mode enabled and the field is properly stored and returned via API.

Test Steps:

Create VPC offering with conservemode=true parameter
Verify the offering via list vpcofferings API
Verify the value is stored correctly in the database

Expected Result:

VPC offering is created successfully
API response includes conservemode: true
Database shows conserve_mode = 1

Actual Result:

VPC offering created successfully with ID b9b783b2-b1fb-4588-b383-ff36cc9e54ab
BUG: API response does NOT include conservemode field at all
BUG: Database shows conserve_mode = 0 instead of 1 despite passing conservemode=true

Status: Failed

Test Evidence:

(localcloud) 🐱 > create vpcoffering name="Test-Conserve-Mode-VPC-Offering" displaytext="VPC Offering with Conserve Mode Enabled" supportedservices="Dhcp,Dns,SourceNat,PortForwarding,Lb,UserData,StaticNat,NetworkACL" conservemode=true
{
  "vpcoffering": {
    "created": "2026-01-30T09:02:54+0000",
    "displaytext": "VPC Offering with Conserve Mode Enabled",
    "distributedvpcrouter": false,
    "fornsx": false,
    "id": "b9b783b2-b1fb-4588-b383-ff36cc9e54ab",
    "internetprotocol": "IPv4",
    "isdefault": false,
    "name": "Test-Conserve-Mode-VPC-Offering",
    "service": [
      {
        "name": "Dhcp",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "StaticNat",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "UserData",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "SourceNat",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "Lb",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "NetworkACL",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "Dns",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      },
      {
        "name": "PortForwarding",
        "provider": [
          {
            "name": "VpcVirtualRouter"
          }
        ]
      }
    ],
    "specifyasnumber": false,
    "state": "Disabled",
    "supportsregionLevelvpc": false
  }
}

(localcloud) 🐱 > list vpcofferings name="Test-Conserve-Mode-VPC-Offering"
{
  "count": 1,
  "vpcoffering": [
    {
      "created": "2026-01-30T09:02:54+0000",
      "displaytext": "VPC Offering with Conserve Mode Enabled",
      "distributedvpcrouter": false,
      "fornsx": false,
      "id": "b9b783b2-b1fb-4588-b383-ff36cc9e54ab",
      "internetprotocol": "IPv4",
      "isdefault": false,
      "name": "Test-Conserve-Mode-VPC-Offering",
      "service": [...],
      "specifyasnumber": false,
      "state": "Disabled",
      "supportsregionLevelvpc": false
    }
  ]
}

mysql> SELECT id, name, conserve_mode FROM cloud.vpc_offerings WHERE name='Test-Conserve-Mode-VPC-Offering';
+----+---------------------------------+---------------+
| id | name                            | conserve_mode |
+----+---------------------------------+---------------+
|  8 | Test-Conserve-Mode-VPC-Offering |             0 |
+----+---------------------------------+---------------+
1 row in set (0.00 sec)

nvazquez · 2026-01-30T15:14:38Z

@blueorangutan package

blueorangutan · 2026-01-30T15:16:04Z

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

blueorangutan · 2026-01-30T16:04:20Z

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16654

nvazquez · 2026-01-31T22:16:56Z

@blueorangutan test

blueorangutan · 2026-01-31T22:18:03Z

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan · 2026-02-01T12:53:09Z

[SF] Trillian test result (tid-15348)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 49809 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15348-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestListIdsParams>:teardown	`Error`	1.15	test_list_ids_parameter.py
test_01_snapshot_root_disk	`Error`	5.95	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	`Error`	48.80	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	`Error`	48.80	test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:teardown	`Error`	27.75	test_snapshots.py
test_01_snapshot_usage	`Error`	25.80	test_usage.py
test_01_vpn_usage	`Error`	1.10	test_usage.py

nvazquez · 2026-02-01T16:50:25Z

@blueorangutan test keepEnv

blueorangutan · 2026-02-01T16:52:04Z

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan · 2026-02-02T07:38:26Z

[SF] Trillian test result (tid-15355)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 50545 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15355-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestListIdsParams>:teardown	`Error`	1.11	test_list_ids_parameter.py
test_01_snapshot_root_disk	`Error`	8.04	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	`Error`	48.59	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	`Error`	48.59	test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:teardown	`Error`	29.53	test_snapshots.py
test_01_snapshot_usage	`Error`	28.82	test_usage.py
test_01_vpn_usage	`Error`	1.09	test_usage.py

Copilot

Pull request overview

This PR extends “IP conserve mode” behavior into VPC offerings and relaxes certain per-tier restrictions so that, when conserve mode is enabled, a VPC’s Source NAT public IP can be reused for additional services and public-IP rules can be created across multiple VPC tiers.

Changes:

Add conservemode to VPC offerings end-to-end (DB schema/view/entity, API params/responses, UI create form + details).
Adjust backend rule/network selection and conflict checks to allow cross-tier usage in VPC conserve mode (PF/LB/firewall paths).
Update UI logic for Public IP / PF / LB screens to reflect conserve-mode behavior (tier selection and tab availability).

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
ui/src/views/offering/AddVpcOffering.vue	Adds a Conserve Mode switch and passes `conservemode` to `createVPCOffering`.
ui/src/views/network/PublicIpResource.vue	Changes tab filtering for VPC SourceNAT IPs based on VPC offering conserve mode.
ui/src/views/network/PortForwarding.vue	Allows tier selection when VPC conserve mode is enabled; uses VPC offering conserve mode flag.
ui/src/views/network/LoadBalancing.vue	Allows tier selection when VPC conserve mode is enabled; uses VPC offering conserve mode flag.
ui/src/config/section/offering.js	Shows `conservemode` in VPC offering details.
server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java	Relaxes cross-network firewall-rule conflict restriction for VPC conserve mode.
server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java	Updates unit test setup for new network lookup in conflict detection.
server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java	Threads a `networkId` parameter to support VPC-tier-aware LB creation.
engine/components-api/src/main/java/com/cloud/network/lb/LoadBalancingRulesManager.java	Updates API surface to include `networkId` parameter.
server/src/main/java/com/cloud/network/IpAddressManagerImpl.java	Adjusts Source NAT detection when associating IPs within VPCs.
api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java	Adds `conservemode` parameter for VPC offering creation.
engine/schema/src/main/java/com/cloud/network/vpc/VpcOfferingVO.java	Persists `conserve_mode` on VPC offerings.
engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql	Adds `conserve_mode` column to `vpc_offerings`.
engine/schema/src/main/resources/META-INF/db/views/cloud.vpc_offering_view.sql	Exposes `conserve_mode` via VPC offering DB view.
server/src/main/java/com/cloud/api/query/vo/VpcOfferingJoinVO.java	Exposes `conserve_mode` on the VPC offering join view VO.
server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java	Populates conserve mode in `VpcOfferingResponse`.
api/src/main/java/org/apache/cloudstack/api/response/VpcOfferingResponse.java	Adds `conservemode` field to VPC offering response.
api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java	Adds `vpcofferingconservemode` field to VPC response.
server/src/main/java/com/cloud/api/ApiResponseHelper.java	Sets `vpcofferingconservemode` in VPC response.
api/src/main/java/org/apache/cloudstack/api/ApiConstants.java	Adds `vpcofferingconservemode` constant.
api/src/main/java/com/cloud/network/vpc/VpcOffering.java	Adds `isConserveMode()` to VPC offering interface.
api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java	Extends createVpcOffering signature to include conserve mode.
server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java	Plumbs conserve mode into VPC offering creation/persist.
api/src/main/java/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java	Adjusts network-id resolution behavior for VPC IPs.
plugins/network-elements/elastic-loadbalancer/.../LoadBalanceRuleHandler.java	Updates LB manager call to include networkId.
plugins/network-elements/juniper-contrail/.../ContrailManagerImpl.java	Updates VPC offering creation call signature.

Comments suppressed due to low confidence (1)

ui/src/views/network/PortForwarding.vue:649

The networkId selection logic for createPortForwardingRule is inverted due to parentheses: !('associatednetworkid' in this.resource || this.vpcConserveMode) becomes true only when BOTH there is no associated network AND conserve mode is false. This will incorrectly choose associatednetworkid when conserve mode is enabled (the opposite of what the UI/feature intends). Use the same condition used elsewhere in the file: no associated network OR vpcConserveMode => selectedTier; otherwise associatednetworkid.

      this.loading = true
      this.addVmModalVisible = false
      const networkId = ('vpcid' in this.resource && (!('associatednetworkid' in this.resource || this.vpcConserveMode))) ? this.selectedTier : this.resource.associatednetworkid
      postAPI('createPortForwardingRule', {
        ...this.newRule,
        ipaddressid: this.resource.id,
        networkid: networkId

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-02-08T15:02:10Z

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

@@ -443,8 +458,14 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
            }

            // Checking if the rule applied is to the same network that is passed in the rule.
-            if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
-                throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule " + rule.getXid());
+            // (except for VPCs with conserve mode = true)
+            if ((!isNewRuleOnVpcNetwork || !isVpcConserveModeEnabled)
+                    && rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
+                String errMsg = String.format("New rule is for a different network than what's specified in rule %s", rule.getXid());
+                if (isNewRuleOnVpcNetwork) {
+                    errMsg += String.format(" - VPC id=%s is not using conserve mode", newRuleNetwork.getVpcId());
+                }
+                throw new NetworkRuleConflictException(errMsg);


The new VPC-conserve-mode branch in detectRulesConflict isn’t covered by unit tests: there are no assertions for (1) conserve mode enabled allowing rules across different VPC tiers and (2) conserve mode disabled still rejecting cross-network rules. Adding focused tests here would prevent regressions in the conflict detection logic.

Copilot · 2026-02-08T15:02:10Z

ui/src/views/network/PortForwarding.vue

        <span
-          v-if="'vpcid' in resource && !('associatednetworkid' in resource)">
+          v-if="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)">
          <strong>{{ $t('label.select.tier') }} </strong>
          <a-select
-            :v-focus="'vpcid' in resource && !('associatednetworkid' in resource)"
+            :v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)"
            v-model:value="selectedTier"


Template expressions should not reference component state via this (in Vue 3 templates this is not in scope), so this.vpcConserveMode will evaluate incorrectly and can break the tier selector visibility/focus. Drop this. and reference vpcConserveMode directly in the v-if / focus expressions.

Copilot · 2026-02-08T15:02:11Z

ui/src/views/network/PortForwarding.vue

          <strong>{{ $t('label.select.tier') }} </strong>
          <a-select
-            :v-focus="'vpcid' in resource && !('associatednetworkid' in resource)"
+            :v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)"


:v-focus is treated as a bound attribute, not a directive. If the intent is to conditionally apply the focus directive, this should be v-focus="..." (matching the other uses of v-focus in the UI), otherwise it won’t do anything.

Suggested change

:v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)"

v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)"

Copilot · 2026-02-08T15:02:11Z

ui/src/views/network/PortForwarding.vue

      getAPI('listNics', {
        virtualmachineid: e.target.value,
-        networkId: ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+        networkId: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid


The listNics call uses networkId as the parameter name, but other listNics usages in the UI (and the API) use networkid. Using the wrong key can cause the backend to ignore the network filter and return the wrong NICs (or none). Rename the parameter to networkid for consistency with other calls.

Suggested change

networkId: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid

networkid: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid

Copilot · 2026-02-08T15:02:11Z

ui/src/views/network/LoadBalancing.vue

        <span
-          v-if="'vpcid' in resource && !('associatednetworkid' in resource)">
+          v-if="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)">
          <strong>{{ $t('label.select.tier') }} </strong>
          <a-select
-            v-focus="'vpcid' in resource && !('associatednetworkid' in resource)"
+            v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || this.vpcConserveMode)"
            v-model:value="selectedTier"


Same as PortForwarding.vue: this.vpcConserveMode in the template is not valid in Vue 3 template scope and can break the tier selector visibility/focus. Reference vpcConserveMode directly (without this).

Copilot · 2026-02-08T15:02:11Z

ui/src/views/network/PublicIpResource.vue

      if (this.resource && this.resource.vpcid) {
-        // VPC IPs with source nat have only VPN
-        if (this.resource.issourcenat) {
+        const vpc = await this.fetchVpc()
+
+        // VPC IPs with source nat have only VPN when VPC offering conserve mode = false
+        if (this.resource.issourcenat && vpc.vpcofferingconservemode === false) {
          this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))


filterTabs assumes fetchVpc always returns a VPC object and that vpcofferingconservemode is always present. If listVPCs returns no results (or the call fails), vpc can be null and vpc.vpcofferingconservemode will throw, leaving the page stuck loading. Also, comparing === false treats undefined as “conserve mode enabled”; for safer defaults/backwards compatibility, treat missing/undefined as false (i.e., restrict SourceNAT IPs unless the flag is explicitly true). Handle null/error from fetchVpc (try/catch or default object) and use a boolean-safe check.

Copilot · 2026-02-08T15:02:12Z

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

+            VpcOfferingVO vpcOffering = vpcOfferingDao.findById(newRuleNetwork.getVpcId());
+            isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();


In detectRulesConflict, the code uses newRuleNetwork.getVpcId() (a VPC id) to look up a VpcOffering via vpcOfferingDao.findById(...). This will query the vpc_offerings table by offering id and can return the wrong offering (or null), causing conserve mode detection to be incorrect. Fetch the VPC (e.g., via VpcDao using the VPC id from the network) and then look up the offering by vpc.getVpcOfferingId(), or otherwise resolve the offering id explicitly before calling vpcOfferingDao.

Suggested change

VpcOfferingVO vpcOffering = vpcOfferingDao.findById(newRuleNetwork.getVpcId());

isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();

com.cloud.network.vpc.VpcVO vpc = _entityMgr.findById(com.cloud.network.vpc.VpcVO.class, newRuleNetwork.getVpcId());

if (vpc != null && vpc.getVpcOfferingId() != null) {

VpcOfferingVO vpcOffering = vpcOfferingDao.findById(vpc.getVpcOfferingId());

isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();

}

Fix conserve mode for VPC Source NAT and extend rules for VPC tiers

ca62353

boring-cyborg bot added component:api component:networking component:UI component:vpc labels Jan 21, 2026

Fix unit test

5ade2b3

Fixes

3fd969b

nvazquez marked this pull request as ready for review January 27, 2026 05:09

nvazquez requested review from DaanHoogland, Pearl1594, shwstppr, sureshanaparti and weizhouapache January 27, 2026 05:10

nvazquez added this to the 4.23.0 milestone Jan 27, 2026

nvazquez changed the title ~~Fix conserve mode for VPC Source NAT IP and extend rules for VPC tiers~~ Fix conserve mode for VPC Source NAT IP and extend conserve mode for VPC offerings Jan 27, 2026

sureshanaparti added the status:needs-testing label Jan 27, 2026

weizhouapache reviewed Jan 27, 2026

View reviewed changes

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql Outdated Show resolved Hide resolved

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql Outdated Show resolved Hide resolved

Pass conserve mode on create VPC Offering

9e3eeb7

nvazquez marked this pull request as draft January 27, 2026 15:11

nvazquez changed the title ~~Fix conserve mode for VPC Source NAT IP and extend conserve mode for VPC offerings~~ Add conserve mode for VPC offerings Jan 29, 2026

Revert default VPC offerings conserve mode

45eba18

DaanHoogland reviewed Jan 29, 2026

View reviewed changes

RosiKyu self-assigned this Jan 29, 2026

RosiKyu added the status:testing label Jan 30, 2026

RosiKyu suggested changes Jan 30, 2026

View reviewed changes

RosiKyu added status:needs-work and removed status:testing status:needs-testing labels Jan 30, 2026

weizhouapache requested a review from Copilot February 8, 2026 14:51

Copilot started reviewing on behalf of weizhouapache February 8, 2026 14:52 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

	:v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) \|\| this.vpcConserveMode)"
	v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) \|\| this.vpcConserveMode)"

	networkId: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) \|\| this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
	networkid: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) \|\| this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid

		VpcOfferingVO vpcOffering = vpcOfferingDao.findById(newRuleNetwork.getVpcId());
		isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();

Add conserve mode for VPC offerings #12487

Are you sure you want to change the base?

Add conserve mode for VPC offerings #12487

Uh oh!

Conversation

nvazquez commented Jan 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Types of changes

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Bug Severity

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

Uh oh!

nvazquez commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

codecov bot commented Jan 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

nvazquez commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

nvazquez commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

nvazquez commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 21, 2026

Uh oh!

blueorangutan commented Jan 22, 2026

Uh oh!

nvazquez commented Jan 27, 2026

Uh oh!

blueorangutan commented Jan 27, 2026

Uh oh!

blueorangutan commented Jan 27, 2026

Uh oh!

blueorangutan commented Jan 27, 2026

Uh oh!

weizhouapache commented Jan 27, 2026

Uh oh!

blueorangutan commented Jan 27, 2026

Uh oh!

weizhouapache left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

blueorangutan commented Jan 27, 2026

Uh oh!

DaanHoogland Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

DaanHoogland Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

RosiKyu left a comment

Choose a reason for hiding this comment

TC1: Create VPC Offering with Conserve Mode = true

Uh oh!

nvazquez commented Jan 30, 2026

Uh oh!

blueorangutan commented Jan 30, 2026

Uh oh!

blueorangutan commented Jan 30, 2026

Uh oh!

nvazquez commented Jan 31, 2026

nvazquez commented Jan 21, 2026 •

edited

Loading

codecov bot commented Jan 21, 2026 •

edited

Loading